I am cleaning up from the last person who took care of the network, and part of that is re-implementing a 30 day password expiration and a set of rules that would require passwords to be a little more complex than "scruffy". How do I go about setting this up? One of the things I am concerned with is resetting my admin password and messing something up. Can I exempt the administrator account from this and just change the password for that manually? Or does the policy have to go over the entire domain no matter what account it is?

How is your AD organised at the moment? You can choose to apply the default domain policy at top level to all authenticated users - this would indeed affect all your accounts. Or if you have OUs set up, pull the admin account(s) out and put them in their own OU and just apply the default policy to other users.

Or indeed just set the Administrator accounts' passwords to "Never Expire" and regularly plan to change them at the same time...

30 days is a bit short in some circumstances - if users have to change their password too often, you'll start to see post-it notes with passwords on monitors everywhere :-)

Yeah, I kind of thought 30 days was a little short. I know at my last job people complained about having to change their passwords every 90 days. I will give the 90 days a shot.

That's actually a pretty good idea. I agree that 30 days is a little too short too. Changing your password is a good habit to get into, but if it's such a short time period people will just start using something they can increment. That's no good either.

Users don't like change. 30 days is a little short, in my opinion. We run at 42 days and even then the users complain it's too short. Give everyone lots of notice and show them how to come up with complex passwords (I spent hours last month helping new students do this).

We manually changed our Admin password to not expire. We have a handful of others that, for various reasons, also don't expire.

And we now happily point everyone who complains to our local government rules on password policies (we're a school so we have to abide by them).

Had the same problem at my last place with complexity requirements. I was told by the IT manager to switch them off for people... I later moved his account into the separate OU along with all the service and admin accounts so that he didn't get the policy applied and kept it on for the other users.

We did change the pw policy from 60 to 90 days due to the complaints. We still had the Post-it problem with passwords though, and often people knew other people's passwords, as it was not a disciplinary offence where we worked.

If you have a 2008R2 AD you can do some pretty sweet things with your password policies.

With 2008 also you can use PSO to fine tune specific accounts/groups with different password policies. The admins should actually have stronger password policies than the users. If you have 2003 or earlier though it's a one shot policy.
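As an added example (not from any poster in this thread) of the PSO approach described above: a stricter fine-grained password policy for the administrators, a relaxed default for everyone else, and a check of which policy actually wins for an account. It assumes the ActiveDirectory PowerShell module (a 2008 R2 DC or RSAT) and a domain functional level of at least Windows Server 2008; the user name `jdoe` and the PSO name are assumptions.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and a domain at Windows Server 2008 functional level or higher.
Import-Module ActiveDirectory

# 1. Default Domain Policy still governs every account without a PSO:
#    90-day expiry and complexity on, as the thread settled on.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 -PasswordHistoryCount 24 -ComplexityEnabled $true

# 2. A stronger PSO for administrators. A lower Precedence number wins when a
#    user falls under several PSOs. Applied to a group, so admin accounts do
#    not have to be moved into a separate OU to get a different policy.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# 3. Verify the resultant policy for a given account ('jdoe' is an assumed name)
#    before relying on it; this shows the PSO or default policy that applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Format-List Name, MaxPasswordAge, MinPasswordLength, ComplexityEnabled

# 4. Accounts exempted with "password never expires" (the admin/service accounts
#    other posters mention) are invisible to the policy, so list them for a
#    scheduled manual change.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
```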

Just my 2 cents but I would recommend 45 days instead of 30 days. But tell them to pick a day of the month--the 1st is always good--to change their passwords. I've found that "most" of my users will do this. (Here we have a couple other passwords that also have to be changed for programs that we use.)

If you set it to 30 days then you must rely on them to change their password when it comes up with the prompt "Your password will change in 9 days, do you want to change it now?" Most people will ignore this. And many, when they get down to 1 day, will ignore it and think "I'll change it later in the day." Then all of a sudden I get a call: "How come I'm getting an error message in this program? How come the intranet is prompting me for a log in? How come I can't print?"

We started with 30 days years ago. When I changed it to 45 days and encouraged users to pick a day of the month to change passwords I found I reduced my help desk calls by 90% related to password resets.

You might find NetWrix Password Expiration Notifier very useful for your implementation, because it helps to minimize the number of issues related to password expiration. The product has a freeware edition.

